Posted
by
timothy
on Sunday March 23, 2014 @06:46AM
from the from-the-minds-at-huawei dept.

An anonymous reader writes with this news from MIT's Technology Review: "Like other federal agencies, the NSA is compelled by law to try to commercialize its R&D. It employs patent attorneys and has a marketing department that is now trying to license inventions ... The agency claims more than 170 patents ... But the NSA has faced severe challenges trying to keep up with rapidly changing technology. ... Most recently, the NSA's revamp included a sweeping effort to dismantle ... 'stovepipes,' and switch to flexible cloud computing ... in 2008, NSA brass ordered the agency's computer and information sciences research organization to create a version of the system Google uses to store its index of the Web and the raw images of Google Earth. That team was led by Adam Fuchs, now Sqrrl's chief technology officer. Its twist on big data was to add 'cell-level security,' a way of requiring a passcode for each data point ... that's how software (like the infamous PRISM application) knows what can be shown only to people with top-secret clearance. Similar features could control access to data about U.S. citizens. 'A lot of the technology we put [in] is to protect rights," says Fuchs. Like other big-data projects, the NSA team's system, called Accumulo, was built on top of open-source code because "you don't want to have to replicate everything yourself," ... In 2011, the NSA released 200,000 lines of code to the Apache Foundation. When Atlas Venture's Lynch read about that, he jumped—here was a technology already developed, proven to work on tens of terabytes of data, and with security features sorely needed by heavily regulated health-care and banking customers.'"

Let me get this straight; the NSA (and the other three letter agencies it serves) are willing to blatantly and flagrantly violate the US Constitution, US law, international treaties, the trust of US allies and probably even the boy scout oath along the way, but it heeds the open source licensing model???

I think there are a few problems with this:

Like others have posted, the open source community is going to have to look at the released code very very carefully. The public has to assume that the NSA will include backdoors or obscure weaknesses if at all possible.

The other half of this is how in the hell this release of code passed any internal security review in order to have the release authorized. If *I* were in charge of an intelligence agency, I certainly would use Open Source code when and where practical, but I would NOT submit my code to any third party external to my nations intelligence community. My reasoning is that any code my organization released could be used as clues to figure out my agencies capabilities and current operations. Even something as seemingly innocuous as the code for mandatory access restrictions could be helpful to an enemy because analysis of it would at least allow the enemy to rule out certain forms of attack.

Oh sure, you could make the argument that releasing better code to the world makes everybody using that code base safer, depriving malicious agents of any existing exploits they have in their tool kits and that was probably among the reasons the NSA based its decision on. The problem I have with that argument is that, in other areas the NSA has proven that it is willing to deliberately weaken code that is in public use so as to add to their own tool kits. To fix existing weaknesses while also deliberately creating others seems illogical and self defeating to me...